One unsafe password leads to ICO fine for charity

On June 8th, the Information Commissioner’s Office announced that it had fined the Bible Society £100,000 after a breach of its internal IT network put supporters’ data at risk. Although the cyber-attack took place in 2016 and was investigated by the ICO under the Data Protection Act 1998, there was a great deal of interest within the sector, as it was the first occasion since the implementation of the new General Data Protection Regulation (GDPR) that the ICO had finalised enforcement action against a charity.

What is startling is how such a basic lack of cyber security caused the breach: the Bible Society’s IT network had inappropriate access rights for remote usage, and hackers were able to enter its systems using an easy-to-guess password. Click here for the full ICO statement.

Whilst the Bible Society is a larger charity (with an annual income of more than £19 million), this story demonstrates that basic IT security should be high on the priority list of charities, both large and small, to ensure that the personal data of supporters and beneficiaries is kept secure.

In the lead-up to GDPR implementation on May 25th, our sector was working hard to ensure that it was complying with the new legislation by updating privacy notices and refreshing consent for mailing lists, amongst many other measures. But it is vitally important that small charities do not lose sight of IT security in an age of remote working and cloud-based solutions.

Make sure that your charity is protected from the most common forms of cyber threat by following the guidance contained within the Small Charity Guide published by the National Centre for Cyber Security: https://www.ncsc.gov.uk/charity


Martin George is the Programme and Compliance Manager at the FSI.